Thingiverse, a community-driven platform for sharing 3D printing templates and other digital design files, has suffered a data breach, with 36GB of unique email addresses and “other personally identifiable information” surfacing on a prominent hacker forum. Troy Hunt, the founder of Have I Been Pwned, acknowledged the breach in a statement to Information Security Media Group.
The breach was announced on haveibeenpwned.com.
According to Hunt, the stolen backup file appears to include a MySQL database with around 255 million lines of data. It contains “info on the publicly accessible 3D models,” as well as “email and IP addresses, usernames, physical addresses, and complete names.” The date stamps appear to be at least ten years old.
Have I Been Pwned tweeted that the data contains “unsalted SHA-1 or bcrypt password hashes,” although there is no indication that plaintext passwords were exposed. A salt is random data added to each password before it is hashed (a one-way transformation), so that identical passwords produce different hashes and a table of precomputed hashes cannot be reused across accounts. Hashed passwords are still unreadable without considerable work, but cracking them is much simpler when no salt is used.
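To make the salt point concrete, here is an added example (not code from the article or from Thingiverse) using constructed sample accounts: it shows that unsalted SHA-1 gives two users with the same password the same digest, and that a hash table computed once from a wordlist matches every unsalted account but no salted one. SHA-1 is used only to isolate the effect of the salt; a real deployment would use a slow, salted scheme such as the bcrypt the report also mentions.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample accounts (not from the breach); two of them share a password.
USERS: Dict[str, str] = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def hash_unsalted(password: str) -> str:
    """Unsalted SHA-1: the same password always yields the same hex digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """SHA-1 over a per-account random salt plus the password. The salt is
    stored next to the digest so the same computation can be repeated at login."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.sha1(salt + password.encode()).hexdigest()


def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    """Login-time check: recompute with the stored salt and compare."""
    return hash_salted(password, salt)[1] == digest


def shared_digests(digests: List[str]) -> int:
    """How many distinct digest values are shared by more than one account."""
    return sum(1 for d in set(digests) if digests.count(d) > 1)


def unsalted_shared(users: Dict[str, str]) -> int:
    return shared_digests([hash_unsalted(pw) for pw in users.values()])


def salted_shared(users: Dict[str, str]) -> int:
    return shared_digests([hash_salted(pw)[1] for pw in users.values()])


def precomputed_table_hits(users: Dict[str, str], wordlist: Iterable[str], salted: bool) -> int:
    """Accounts matched by one table of digests computed once from `wordlist`.
    With per-account salts the table would have to be rebuilt for every salt,
    so the single table matches nothing."""
    table = {hash_unsalted(w) for w in wordlist}  # built once, without any salt
    if salted:
        digests = [hash_salted(pw)[1] for pw in users.values()]
    else:
        digests = [hash_unsalted(pw) for pw in users.values()]
    return sum(1 for d in digests if d in table)
```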
On October 1st, Twitter user pompompurin found the data exposed through a “misconfigured S3 bucket” holding Thingiverse’s backup data.
MakerBot, the company that owns Thingiverse, has been informed of the incident but had not commented as of this writing. It is a good idea to change your Thingiverse password, as well as the password on any other site where you may have reused the same credentials.